The Internet of Things (IoT), in short, means taking machines, devices and things and connecting them to the internet. Appliances such as fridges, coffee machines, kettles and TVs, and devices like pacemakers and blood pressure monitors, are all connected to the internet. There are many benefits to connecting these devices to the internet and embedding computers in them, which enables collecting, sending, receiving and acting on the data and information generated by IoT devices. Forbes predicts the Internet of Things market will be worth around $520 billion globally in 2020; in 2017 the global market was $235 billion.
With internet-connected devices everywhere, from hospitals, manufacturing warehouses and streets to your home, the security of these devices is very important. Imagine waking up to find out your fridge participated in a DDoS attack overnight, and that your microwave, doorbell, and kettle have been the victims of ransomware attacks and have to be replaced.
Earlier this year, Packetlabs was asked by the Hackable podcast to investigate a smart, WiFi-enabled kettle and create some working exploits to demonstrate on the podcast. After our research, we found a way to steal the WiFi password of a user’s home network from the kettle; the only requirement is to be within WiFi range of the kettle. The episode, number 26, is titled “Malicious Brews” and can be listened to here.
Here’s how it works at a high-level:
Send crafted WiFi messages to the kettle to deauthenticate it from its current WiFi network
Create a fake WiFi network that mimics the original WiFi network
The kettle joins the rogue WiFi network
Connect to the kettle using the default password of “000000”
Enter a command to display the WiFi passwords the kettle has stored.
Once the attacker has the victim’s WiFi password, they can connect to the network and attack any devices on it. In the podcast, the attacker ends up compromising Geoff’s Facebook credentials; an attacker could also hack into laptops and smartphones to install malware, steal documents, or monitor any traffic on the network to steal account credentials for email and online banking.
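For defenders, the first three steps leave a recognizable trace on the air: a burst of deauthentication frames against a client, followed by the same network name advertised from an access point that is not part of the network. The Python below is an added example, not Packetlabs’ code or tooling; the event format, thresholds, SSID and MAC addresses are assumptions constructed for illustration.

```python
from collections import deque

# Assumed baseline: BSSIDs (AP MAC addresses) that legitimately serve each SSID.
KNOWN_APS = {"HomeNet": {"aa:bb:cc:00:00:01"}}
DEAUTH_BURST = 5     # this many deauth frames ...
BURST_WINDOW = 10.0  # ... within this many seconds count as a burst
TWIN_WINDOW = 60.0   # watch for an unknown BSSID this long after a burst


def detect_evil_twin(events, known_aps=KNOWN_APS):
    """Alert when a deauth burst on a known SSID is followed by a beacon
    for that SSID from a BSSID outside the baseline. Events are dicts
    sorted by 'ts'; the field names are a hypothetical sensor format."""
    ssid_of = {b: s for s, aps in known_aps.items() for b in aps}
    recent, last_burst, seen, alerts = {}, {}, set(), []
    for ev in events:
        if ev["type"] == "deauth":
            ssid = ssid_of.get(ev["bssid"])
            if ssid is None:
                continue  # frame does not name one of our access points
            q = recent.setdefault(ssid, deque())
            q.append(ev["ts"])
            while ev["ts"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= DEAUTH_BURST:
                last_burst[ssid] = (ev["ts"], ev["client"])
        elif ev["type"] == "beacon":
            ssid, bssid = ev["ssid"], ev["bssid"]
            if ssid not in known_aps or bssid in known_aps[ssid]:
                continue  # unrelated network, or our own access point
            burst = last_burst.get(ssid)
            if burst and ev["ts"] - burst[0] <= TWIN_WINDOW and (ssid, bssid) not in seen:
                seen.add((ssid, bssid))
                alerts.append({"ssid": ssid, "rogue_bssid": bssid,
                               "client": burst[1], "burst_ts": burst[0]})
    return alerts


# Constructed sample events (not captured traffic): six deauth frames aimed at
# one client, then the same SSID advertised twice from an unknown BSSID.
AP, KETTLE, ROGUE = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:10", "02:00:00:00:00:99"
SAMPLE = [{"ts": 90.0, "type": "beacon", "ssid": "HomeNet", "bssid": AP}]
SAMPLE += [{"ts": 100.0 + i, "type": "deauth", "bssid": AP, "client": KETTLE}
           for i in range(6)]
SAMPLE += [{"ts": t, "type": "beacon", "ssid": "HomeNet", "bssid": ROGUE}
           for t in (112.0, 113.0)]

if __name__ == "__main__":
    print(detect_evil_twin(SAMPLE))
```

The check only covers a rogue access point whose BSSID is outside the baseline, so the baseline has to list every legitimate access point for the network.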
Here are some quick tips for helping you secure your home or business smart devices:
Stick with known manufacturers: Avoid purchasing smart devices from lesser-known makers and knock-offs, as they likely have not invested as much in security measures.
Keep devices updated: Keeping your device software up-to-date will help ensure any security vulnerabilities are patched.
Make a tough password: Protect your devices using secure passwords that use upper and lower cases, numbers and special characters; the longer the password, the better.
Many of these IoT devices perform simple functions such as boiling water for tea, alerting you when someone rings your doorbell, or remotely controlling the temperature of your home. That is why many people do not think about taking extra steps to secure these devices and trust that the manufacturer has taken sufficient measures to secure the devices for them.
While homes and offices alike may be getting smarter, these smart devices act like gateways for cyber criminals, allowing hackers to gain access to devices on your network such as laptops and mobile phones and putting sensitive data at risk. At the end of 2018 it was projected that 23 billion IoT devices were connected to the internet, and that number will rise by 3 billion before the end of 2019!
There are many ways to ensure the security of your home or office; the above tips are only some of the crucial steps to take to quickly improve security. If you are interested in an attack demonstration and what an adversary could do once they have gained access to your home, check out the podcast here!